Virus writing on the increase - Sasser worm the major irritant of 2004, but Netsky worms dominate reports

July 28, 2004 Sophos Press Release

Sophos charts virus activity for first six months of 2004

A report published by Sophos, a world leader in protecting businesses against viruses and spam, reveals that the number of new viruses being written is increasing. In total, Sophos has detected and protected against 4,677 new viruses in the first six months of 2004, up 21% on the same period last year.

The Sasser worm accounted for more than a quarter of all viruses reported to Sophos so far this year, even though the worm only first appeared in May.

Sasser claimed the top spot of the virus chart, in spite of the raging battle between the widespread Netsky and Bagle worms, which has wreaked havoc across the internet from mid-February. This war produced six of the most damaging viruses of the year so far, with Netsky-P proving to be the most prevalent. The good news for computer users was the May arrest of Sven Jaschan, the German teenager who confessed to authoring both the Sasser and Netsky worms.

For the first six months of 2004, the top ten viruses (as recorded by Sophos's global network of virus monitoring stations) are as follows, with the most frequently occurring virus at number one:

Position Malware Percentage of reports
1W32/Sasser
   26.1%
2W32/Netsky-P
   21.4%
3W32/Netsky-B
   11.0%
4W32/Netsky-D
   6.8%
5W32/MyDoom-A
   4.4%
6W32/Zafi-B
   4.0%
7W32/Netsky-Z
   3.1%
8WW32/Netsky-C
   2.4%
9W32/Sober-C
   1.5%
10W32/Bagle-A
   1.2%
Others18.1%

"Following in the footsteps of last year's hard-hitting Blaster worm, Sasser exploited a critical vulnerability in Microsoft's operating system in order to spread - this type of worm is proving to be extremely 'successful' as Microsoft is finding it tough to ensure computer users apply patches as soon as the flaws are discovered," said Graham Cluley, senior technology consultant at Sophos. "Sasser may have taken top spot, but six of the biggest viruses of the last six months were all Netsky and Bagle variants - these caused a continued nuisance for PC users the world over as their authors entered into a very public game of virus writing one-upmanship."

"Reassuringly, virus writers haven't had it all their own way so far in 2004. Increased scrutiny from law enforcement agencies and Microsoft's bounty initiative to encourage people to snitch on virus writers, led to a very high profile arrest in Germany. Sven Jaschan, teenage author of the Sasser worm and member of Skynet, the gang responsible for distributing Netsky, confessed in May. The German virus-writing community has been relatively quiet ever since," continued Cluley.

MyDoom, the fifth most damaging virus so far this year, highlights the increasing trend for virus writers to attempt to create zombie armies of possessed PCs. This worm, which first appeared in January, opened a backdoor into infected PCs, allowing hackers to launch distributed denial of service attacks on the websites belonging to Microsoft and SCO.

The sixth most prevalent virus so far this year, the Zafi-B worm, is a prime example of how virus writers can use their malicious code to distribute political messages. This worm called for the Hungarian government to house the homeless and introduce the death penalty against criminals. It continues to be extremely successful in infecting computer users, spreading itself by email and peer-to-peer filesharing systems.

First mobile phone virus discovered

The Cabir worm, first seen in June, was a proof of concept mobile phone virus. The worm that was written by the virus writing gang 29A, proved that it was possible for a virus to spread via Bluetooth to other compatible mobile phones in the vicinity. The worm posed no threat to mobile phone users as the virus was not released in the wild.

More arrests

The first female to be charged with distributing a virus was arrested in February. Kim Vanvaeck, aka 'Gigabyte', suspected author of several viruses including Coconut-A, Sahay-A and Sharp-A, was arrested by Belgian authorities and charged with computer sabotage. If convicted she faces up to three years in prison and fines of up to 100,000 Euros.

In May, Wang Ping-an, a 30-year-old computer engineer was arrested in Taiwan for allegedly writing and distributing a Trojan horse that enabled hackers to steal sensitive information from the island's government computers.

"These arrests have sent a strong message to the virus community that the authorities will not turn a blind eye to criminal computer activity. However, the real deterrent will be tough sentencing. It will be interesting to see what punishments are dished out by the authorities against convicted virus writers and distributors," added Cluley.

Sophos has made available a free, constantly updated information feed for intranets and websites which means users can always find out about the latest viruses and hoaxes.

Graphics of the virus Top Ten chart are available here.

More information about safe computing, including anti-hoax policies.